Ricardo Gameroff, Managing Partner at Kreston BA Argentina and Global Audit Business Development Director at Kreston Global, emphasises the crucial role of internal audit in combating cyber threats. His article in the Audit & Risk magazine, the Chartered IIA’s publication, discusses how evolving internal audit practices enhance resilience against threats like ransomware, phishing, BEC attacks, and brand impersonation through meticulous risk assessment and proactive monitoring. Click here to access the complete publication, or read the summary below.
Internal audit as a defensive tool
Internal audits have always played a key role in mitigating cyber risks and protecting organizational assets. Moreover, recent advancements in auditing processes have expanded its capabilities beyond traditional methods. Now, internal audit teams can leverage innovative technologies to adapt quickly to evolving cyber threats.
Key recommendations for internal audit teams:
- Continuous monitoring: Use automated tools and analytics to monitor network activity, detect anomalies, and identify potential security breaches in real time.
- Enhance cyber security skills: Invest in ongoing training and professional development to keep up with emerging threats and best practices.
- Integrate data analytics: Use data analytics to improve risk assessment and detect suspicious activities by analysing large data sets for patterns and anomalies.
- Collaborate with IT and security teams: Work closely with IT and security departments to understand the organisation’s IT infrastructure and vulnerabilities, tailoring audit procedures to the risk profile.
Ethical artificial intelligence
A strong understanding of ethics and a robust corporate culture are crucial for protecting organizations against cyber threats. Additionally, internal audits can help management monitor and support organizational culture. Consequently, this ensures all employees understand expected behaviors regarding cybersecurity and ethics. This fosters good decision-making and strengthens governance and controls.
With the rise of AI in decision-making and automation, ensuring transparency, accountability, and bias-free systems is essential. Furthermore, internal auditors can aid in implementing ethical AI practices by auditing AI algorithms and ensuring regulatory compliance. Early involvement in AI initiatives allows auditors to advise on risks and suggest solutions.
Components cyber preparedness
Preparation is key in combating cyber threats. Establishing enterprise cyber preparedness involves governance, strategy, incident response, and employee training.
- Governance and strategy: Internal audit should support and advise on effective cyber security management, helping to establish clear policies, procedures, and accountability structures. Defining roles, responsibilities, and strategic objectives aligned with business goals is crucial.
- Risk assessment: Regular risk assessments help identify and prioritise cyber risks, allowing for efficient resource allocation and targeted mitigation strategies.
- Incident response: Organisations need a formal incident response plan with designated teams and regular training exercises. Proactive measures like threat intelligence monitoring and incident detection systems are essential for swift and effective responses.
- Employee training: Educating employees on cyber threats and best practices is vital, as human error remains a common cause of incidents. Regular training on phishing, password security, safe internet usage, and security awareness campaigns fosters a culture of vigilance.
Internal audit preventing incidents
It’s difficult to find examples of internal audits preventing cyber security incidents, as “near misses” aren’t publicised. However, successful cyber attacks often highlight how effective audit practices could mitigate or prevent breaches.
In the automotive industry, the 2023 Tesla data breach affected over 75,000 individuals due to an “inside job” by two former employees. This incident underscores the importance of comprehensive employee training, stringent access controls, regular audits, and whistleblower policies to detect unauthorised access and risky behaviour.
In the financial services sector, the March 2017 Equifax data breach, which affected nearly 150 million people, resulted from attackers exploiting IT system vulnerabilities. Additionally, while external attacks are complex to prevent, internal audit teams focusing on robust cyber security measures, data management practices, and internal controls can help detect breaches quickly and ensure swift damage mitigation and notification.
Mailchimp, a provider of email marketing services, has faced numerous data breaches due to social engineering attacks on its employees, resulting in compromised user accounts and customer data exposure. Internal audits should ensure employees receive adequate cyber security training and assess the implementation of two-factor authentication and practical identity management practices. Additionally, policies and systems must be in place to detect and mitigate vulnerabilities swiftly and promptly address breaches.
As technology evolves rapidly, so do the associated risks. Internal audit must adapt its practices and utilise technology advancements, such as AI, data analytics, and machine learning, to proactively identify potential vulnerabilities and predict emerging threats. Internal audit teams capable of foreseeing future risks can provide valuable guidance to management, positioning the organisation optimally to respond to inevitable cyber-attacks.
Author: Ricardo Gameroff, Partner, Kreston BA Argentina, Argentina
Reposted from: https://www.kreston.com/article/internal-audit-in-age-of-cyber-threats/